Use a custom certificate for Tanium ODJ and Tanium PXE

By default, the Tanium PXE and Tanium ODJ services create and use a self-signed certificate for HTTPS (TLS) communication. Because client devices do not trust these self-signed certificates, TLS-related errors are ignored. If you cannot ignore these TLS-related errors, the self-signed certificates can be added to the “Trusted Root Certification Authorities” store for the machine (on Windows, or the equivalent trust store on macOS or Linux).

As an alternative, Tanium ODJ and Tanium PXE can support the use of a customer-supplied certificate. This certificate must be provided as two files: a .PEM file that contains the certificate itself and a .KEY file that contains the private key for that certificate.

Although you can create a certificate in this format using multiple mechanisms, the following instructions use Active Directory Certificate Services.

Create a certificate template

Because the Tanium ODJ and Tanium PXE services are effectively web servers, a web server certificate template is the natural starting point. A new template is required because the certificate must carry the IP address of the computer as a subject alternative name (SAN) and must allow its private key to be exported. For instructions on how to duplicate a certificate template, see Microsoft Documentation: Configure the Workstation Authentication Certificate Template.

After duplicating the Web Server template, make the following changes to the new template.

  1. On the General tab, enter a unique name for Template display name.
  2. On the Request Handling tab, select Allow private key to be exported.
  3. On the Subject Name tab, select Supply in the request so that the subject name and SAN can be provided in the enrollment request.
  4. On the Security tab, select Allow to grant Enroll access to the appropriate set of computers, such as a group that contains the computer accounts for the endpoints that run the Tanium PXE and Tanium ODJ services.
  5. Click OK and close the Certificate Templates MMC.
  6. In the Certificate Authority MMC, right-click Certificate Templates and click New > Certificate Template to issue to publish the new certificate template to Active Directory.


Create the certificate

On the computer where you want to use the new certificate, follow these steps to create the certificate.

  1. Open the Certificates MMC for the computer, right-click Personal and click All Tasks > Request New Certificate... to open the certificate properties.
  2. Select the new template that you previously created and then click the Click here to configure settings link.
  3. On the Subject tab, enter a common name and an IPv4 alternative name, click OK, and then click Enroll to create the certificate.
  4. Verify that the certificate was created and includes the IP address information.

Export the certificate

  1. Right-click the certificate and click All Tasks > Export... to open the Certificate Export Wizard.
  2. Select Yes, export the private key and then click Next.
  3. Select Password: to password-protect the exported certificate, enter a password, and then click Next.
  4. Specify a name for the exported certificate, such as TaniumTLS.pfx.

Convert the certificate

The Tanium ODJ and Tanium PXE services require a certificate in the PEM format, with the certificate and private key stored in separate files. You can download and use the open-source OpenSSL utility (openssl) to convert the exported .pfx file.

  1. Open a command prompt, enter the following command to convert the certificate, and enter the password that you provided in Export the certificate.

    openssl pkcs12 -in TaniumTLS.pfx -clcerts -nokeys -out TPXE.cer

  2. Enter the following command to export the private key and enter the password.

    openssl pkcs12 -in TaniumTLS.pfx -nocerts -nodes -out TPXE.key

  3. Use Notepad or another text editor to edit the TPXE.cer and TPXE.key files as follows. openssl pkcs12 writes Bag Attributes, subject, and issuer lines ahead of the PEM block, and the services expect each file to start at the BEGIN line.
    1. Remove the lines prior to -----BEGIN CERTIFICATE----- from the TPXE.cer file and then save the changes.
    2. Remove the lines prior to -----BEGIN PRIVATE KEY----- from the TPXE.key file and then save the changes.
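The three conversion steps above as a script, an added example that is not Tanium's own tooling; it also checks the resulting pair (IP SAN present, key matches certificate) before you copy it to the cert folder. It assumes a POSIX shell (for example Git Bash on Windows or a Linux endpoint) with openssl on PATH; the script name tanium-cert.sh and the argument order are assumptions.

```shell
#!/bin/sh
# Added example, not Tanium's own tooling. Scripts the three conversion steps
# above and checks the resulting pair before it is copied to the cert folder.
# Assumes a POSIX shell with openssl on PATH; file names and the IP are arguments.
set -eu

# Keep only the PEM block(s). openssl pkcs12 writes "Bag Attributes", "subject="
# and "issuer=" lines ahead of the block (the lines step 3 removes). File or stdin.
strip_preamble() {
    sed -n '/^-----BEGIN /,$p' "$@"
}

# Succeeds only for a plaintext key, which is what -nodes produces. An
# "ENCRYPTED PRIVATE KEY" block means -nodes was omitted; the service cannot load it.
key_is_unencrypted() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        return 1
    fi
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Steps 1-3: openssl prompts for the export password on the terminal each
# time, exactly as in the manual procedure. A wrong password leaves an empty
# output file, so both results are checked for a PEM header.
convert_pfx() {
    pfx=$1; base=$2                       # e.g. TaniumTLS.pfx TPXE (or ODJ)
    openssl pkcs12 -in "$pfx" -clcerts -nokeys | strip_preamble > "$base.cer"
    openssl pkcs12 -in "$pfx" -nocerts -nodes  | strip_preamble > "$base.key"
    grep -q '^-----BEGIN CERTIFICATE-----' "$base.cer" ||
        { echo "no certificate extracted from $pfx" >&2; return 1; }
    key_is_unencrypted "$base.key" ||
        { echo "no plaintext private key extracted from $pfx" >&2; return 1; }
}

# What the browser check at the end of the page depends on: the certificate
# lists the server IP as an IP SAN, and the key file belongs to that certificate.
verify_pair() {
    cert=$1; key=$2; ip=$3
    openssl x509 -in "$cert" -noout -text | grep -Eq "IP Address:$ip"'(,|$)' ||
        { echo "$cert has no IP SAN for $ip" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "$key does not match $cert" >&2; return 1; }
}
case "${1:-}" in
    convert) convert_pfx "$2" "$3" ;;       # ./tanium-cert.sh convert TaniumTLS.pfx TPXE
    verify)  verify_pair "$2" "$3" "$4" ;;  # ./tanium-cert.sh verify TPXE.cer TPXE.key 10.102.1.101
esac
```

Run the verify step again after copying, against the files under the cert folder, so that a stale or mismatched pair is caught before the services are restarted.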

Copy the certificate

After the certificate is converted, you can copy the files to <Tanium Client>\Tools\Provision\cert as follows:

  • For Tanium PXE: TPXE.cer and TPXE.key
  • For Tanium ODJ: ODJ.cer and ODJ.key

If the server is running both Tanium PXE and Tanium ODJ, copy the converted files twice, once under each pair of names, so that you end up with four files.

Restart the service

After the certificate and key files are copied to <Tanium Client>\Tools\Provision\cert, restart the Tanium PXE and Tanium ODJ services to use the new certificates. Validate that the certificates are being used by accessing the following web sites using a browser:

  • For Tanium PXE: https://<your_PXE_Server>:<your_PXE_port>/ (Example: https://10.102.1.101:17530/)

    This request returns 404 page not found with no server certificate errors.

  • For Tanium ODJ: https://<your_ODJ_Server>:<your_ODJ_port>/ (Example: https://10.102.1.101:8100/)

    This request returns Invalid request with no server certificate errors.

The HTTPS/TLS cache port for Tanium PXE is configurable in the Provision Settings and the port for Tanium ODJ is configurable when you create an ODJ endpoint.